Non killable Pop Ups


BDiONU
25th Feb 2004, 18:00
Please help. I have suddenly picked up something which is bombarding my PC with pop ups, they often come in flurries and it means I can't use Word too well as when they appear the input focus moves to the pop up window.

There seems to be no requirement to have IE running, nor to be connected to the internet. Using Win XP Pro, am on NTL broadband.

I have run Ad-Aware several times, both when the PC is running and set for when it boots up.

Similarly SpyBot and PestControl.

They detect and delete registry entries etc. for PurityScan. I have done a www search for that and my symptoms match exactly. Have followed all the advice on how to delete and manually delete that I found online.

Have done a Symantec Virus search and the TrendMicro, both come up clean.

I have the firewall in place and messenger disabled, System Restore off.

Have done everything I can think of to rid myself of this bug but it has proven very persistent and I'm approaching my wits' end.

Any thoughts anyone? Please!? :{

Hamrah
25th Feb 2004, 18:30
I presume you've done something like This? (http://www.cexx.org/winservs.htm)

BDiONU
25th Feb 2004, 18:42
Yes 'fraid so, one of the first places I looked. Mutter mutter mutter.

E-Liam
25th Feb 2004, 19:42
Hi BDiONU,

Please download 'Hijack This!' from here (http://mjc1.com/mirror/hjt/), unzip, and place it in its own folder (not in the temp folder), double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give me a rundown of what’s going on in your PC. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Although I didn't intend to do these here, I'll use it as an instructional thread, and explain what I'm doing throughout, so everyone gets to learn a bit more about this scum that keeps attacking PCs. I'll also put in the links to the various databases/sites that I use for reference etc. and then that will give the forum members a chance to carry out their own scumware audit.

To the PPruner.. I won't make a habit of this.. :) but I will make it easy to follow and informative.. :ok:

Cheers

Liam

BDiONU
25th Feb 2004, 19:53
Can't tell you how much I appreciate the help! Tried to paste the log but PPrune wouldn't allow it, too many images!! Have sent you a PM in the hope that's OK?

BDi

E-Liam
25th Feb 2004, 21:37
Hi,

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp folder, but not the folder itself. Next please find and delete the following bolded file...

C:\WINDOWS\System32\wnsintcc.exe

Then please boot back into normal mode and post a new log, just to make sure. That should be you sorted out regards popups. This seems to be a new strain of executables causing multiple popups, and although the filename is ultimately random, they usually look like this..

wnxxxxxx.exe (random string length)

..to make them look as though they are genuine Windows files at first glance.

I do however urge anyone who wants to suddenly delete any files that look like this to proceed with caution..!!!!!!!!!

Cheers

Liam
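
The log-review step in the post above, as an added example that is not part of the original thread: a small Python triage of HijackThis log lines that marks orphaned entries ending in `(no file)` and O4 autorun entries whose executable sits in System32 under a `wn`-prefixed name, for manual review rather than automatic deletion. The function name `triage`, the review wording and the last two sample lines are constructed for illustration; genuine Windows files can match the name pattern too.

```python
import re

# HijackThis log lines have the form "<section> - <description>".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Autorun entry: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(
    r"^(?P<key>HK(?:CU|LM)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Naming pattern described in the thread: "wn" + random letters + ".exe" in System32.
LOOKALIKE_RE = re.compile(r"\\windows\\system32\\wn[a-z]{2,}\.exe\b", re.IGNORECASE)

# First two lines are the entries quoted in the thread; the last two are
# constructed benign entries to show what is NOT flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [ExampleNote] C:\WINDOWS\System32\notepad.exe
"""


def triage(log_text):
    """Return (section, body, reasons) for each line that needs manual review."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.group("section"), m.group("body")
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("orphaned entry: target file missing")
        run = RUN_RE.match(body) if section == "O4" else None
        if run and LOOKALIKE_RE.search(run.group("cmd")):
            reasons.append("autorun from System32 with wn* lookalike name")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {body}\n    review: {'; '.join(reasons)}")
```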

BDiONU
25th Feb 2004, 23:45
E-Liam I now consider you something of an internet Guru! It seems to be fixed! Thank you very much indeed! I wonder where the H*ll it came from? I did find this morning a file in my documents & setting folder which the www informed was summat to do with Buddylink and a saddam message. Deleted that and the registry entry (kids whilst I was on holiday). I'd never have found this other and none of the programs out there seem able to detect it!

I owe you several beers! Thank you very much!

BDi

E-Liam
26th Feb 2004, 01:27
You're welcome BDi.. :):ok:

I do this security stuff several hours a day, so apart from being able to fix people up, I also see the latest threats before a lot of the security program writers do. I'm sure the guys at Lavasoft and Kolla are working to get this particular nasty into the next update, so hopefully it shouldn't be a problem in a week or so... but it's nice to get in there first. :D

It probably got in by driveby download. In order to protect yourself against a similar occurrence, go to Start | Settings | Control Panel | Internet Options | Advanced(tab) and uncheck both the Install on demand choices in the Browsing section. It's not perfect, but it will help.

Cheers

Liam

BDiONU
26th Feb 2004, 03:00
Ahah! I had the Install on Demand (Internet Explorer) disabled but was unaware of the Other option! DOH!
So an early virus/bug/nasty, I'd feel almost privileged but it was a real nightmare and seemed to come out of left field!

Thanks again for your inestimable help! :ok:

BDi